@pagopa/io-react-native-wallet 3.3.0 → 3.4.0

package/src/credential/issuance/v1.0.0/03-complete-user-authorization.ts

@@ -7,7 +7,11 @@ import {
 import { hasStatusOrThrow } from "../../../utils/misc";
 import parseUrl from "parse-url";
 import type { DcqlQuery } from "dcql";
-import { IssuerResponseError, ValidationFailed } from "../../../utils/errors";
+import {
+  IssuerResponseError,
+  UnimplementedFeatureError,
+  ValidationFailed,
+} from "../../../utils/errors";
 import {
   decode,
   SignJWT,
@@ -70,7 +74,7 @@ export const buildAuthorizationUrl: IssuanceApi["buildAuthorizationUrl"] =
     return { authUrl };
   };
 
-export const completeUserAuthorizationWithQueryMode: IssuanceApi["completeUserAuthorizationWithQueryMode"] =
+export const completePidUserAuthorizationWithQueryMode: IssuanceApi["completePidUserAuthorizationWithQueryMode"] =
   async (authRedirectUrl) => {
     Logger.log(
       LogLevel.DEBUG,
@@ -81,6 +85,14 @@ export const completeUserAuthorizationWithQueryMode: IssuanceApi["completeUserAu
     return parseAuthorizationResponse(query);
   };
 
+export const completeEaaUserAuthorizationWithQueryMode: IssuanceApi["completeEaaUserAuthorizationWithQueryMode"] =
+  () => {
+    throw new UnimplementedFeatureError(
+      "completeEaaUserAuthorizationWithQueryMode",
+      "1.0.0"
+    );
+  };
+
 export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCredentialToBePresented"] =
   async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
     Logger.log(
@@ -130,7 +142,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
     requestObject,
     _issuerConfig,
     pid,
-    { wiaCryptoContext, pidKeyTag, appFetch = fetch }
+    { wiaCryptoContext, appFetch = fetch }
   ) => {
     Logger.log(
       LogLevel.DEBUG,
@@ -139,7 +151,7 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
 
     const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(
       requestObject.dcql_query as DcqlQuery,
-      [[pidKeyTag, pid]]
+      [pid]
     );
 
     const authRequestObject = {

package/src/credential/issuance/v1.0.0/index.ts

@@ -3,7 +3,8 @@ import { evaluateIssuerTrust } from "./01-evaluate-issuer-trust";
 import { startUserAuthorization } from "./02-start-user-authorization";
 import {
   continueUserAuthorizationWithMRTDPoPChallenge,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   completeUserAuthorizationWithFormPostJwtMode,
   buildAuthorizationUrl,
   getRequestedCredentialToBePresented,
@@ -20,7 +21,8 @@ export const Issuance: IssuanceApi = {
   evaluateIssuerTrust,
   startUserAuthorization,
   buildAuthorizationUrl,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   continueUserAuthorizationWithMRTDPoPChallenge,
   getRequestedCredentialToBePresented,
   completeUserAuthorizationWithFormPostJwtMode,

package/src/credential/issuance/v1.0.0/mappers.ts

@@ -9,6 +9,7 @@ export const mapToIssuerConfig = createMapper<
   const {
     oauth_authorization_server,
     openid_credential_issuer,
+    openid_credential_verifier,
     federation_entity,
   } = x.payload.metadata;
   return {
@@ -28,5 +29,9 @@ export const mapToIssuerConfig = createMapper<
       openid_credential_issuer.status_attestation_endpoint,
     nonce_endpoint: openid_credential_issuer.nonce_endpoint,
     federation_entity,
+    encrypted_response_enc_values_supported:
+      openid_credential_verifier?.authorization_encrypted_response_enc
+        ? [openid_credential_verifier.authorization_encrypted_response_enc]
+        : undefined,
   };
 });

package/src/credential/issuance/v1.3.3/02-start-user-authorization.ts

@@ -88,7 +88,7 @@ export const startUserAuthorization: IssuanceApi["startUserAuthorization"] =
         signJwt,
       },
       clientAttestation: walletInstanceAttestation,
-      authorizationServer: issuerConf.authorization_endpoint,
+      authorizationServer: issuerConf.credential_issuer,
       signer: wiaSigner,
       jti: uuidv4(),
     });

package/src/credential/issuance/v1.3.3/03-complete-user-authorization.ts

@@ -6,30 +6,33 @@ import {
 import parseUrl from "parse-url";
 import type { DcqlQuery } from "dcql";
 import {
-  fetchAuthorizationRequest,
+  createAuthorizationResponse,
   parseAuthorizeRequest,
+  fetchAuthorizationResponse,
+  type CreateAuthorizationResponseResult,
 } from "@pagopa/io-wallet-oid4vp";
 import { sendAuthorizationResponseAndExtractCode } from "@pagopa/io-wallet-oid4vci";
+import type { jsonWebKeySet } from "@pagopa/io-wallet-oid-federation";
 import { parseMrtdChallenge } from "@pagopa/io-wallet-oauth2";
-import { SignJWT, type CryptoContext } from "@pagopa/io-react-native-jwt";
 import { AuthorizationError, AuthorizationIdpError } from "../common/errors";
 import { LogLevel, Logger } from "../../../utils/logging";
 import { RemotePresentation as RemotePresentationFlow } from "../../presentation/v1.3.3";
-import { partialCallbacks } from "../../../utils/callbacks";
-import { sdkConfigV1_3 } from "../../../utils/config";
 import {
-  IoWalletError,
-  sdkUnexpectedStatusCodeToIssuerError,
-} from "../../../utils/errors";
-import type { IssuanceApi } from "../api";
+  createVerifyJwtFromJwks,
+  partialCallbacks,
+} from "../../../utils/callbacks";
+import { sdkConfigV1_3, sdkConfigV1_4 } from "../../../utils/config";
+import { IoWalletError, IssuerResponseError } from "../../../utils/errors";
+import type { IssuanceApi, IssuerConfig } from "../api";
 import { mapToRequestObject } from "./mappers";
-import type { RemotePresentation } from "../../presentation";
+import type { RequestObject } from "../../presentation";
+import { hasStatusOrThrow } from "../../../utils/misc";
 
 export const continueUserAuthorizationWithMRTDPoPChallenge: IssuanceApi["continueUserAuthorizationWithMRTDPoPChallenge"] =
   async (authRedirectUrl) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requested credential is a PersonIdentificationData and requires MRTD PoP, starting MRTD PoP validation from auth redirect`
+      "The requested credential is a PID and requires MRTD PoP, starting MRTD PoP validation from auth redirect"
     );
     try {
       const parsedChallenge = parseMrtdChallenge({
@@ -65,11 +68,11 @@ export const buildAuthorizationUrl: IssuanceApi["buildAuthorizationUrl"] =
     return { authUrl };
   };
 
-export const completeUserAuthorizationWithQueryMode: IssuanceApi["completeUserAuthorizationWithQueryMode"] =
+export const completePidUserAuthorizationWithQueryMode: IssuanceApi["completePidUserAuthorizationWithQueryMode"] =
   async (authRedirectUrl) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requested credential is a PersonIdentificationData, completing the user authorization with query mode`
+      "The requested credential is a PID, completing the user authorization with query mode"
     );
     const query = parseUrl(authRedirectUrl).query;
 
@@ -80,7 +83,7 @@ export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCrede
   async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requeste credential is not a PersonIdentificationData, requesting the credential to be presented`
+      "The requested credential is not a PID, requesting the credential to be presented"
     );
 
     const authzRequestEndpoint = issuerConf.authorization_endpoint;
@@ -94,61 +97,39 @@ export const getRequestedCredentialToBePresented: IssuanceApi["getRequestedCrede
       `Requesting the request object to ${authzRequestEndpoint}?${params.toString()}`
     );
 
-    const authRequest = await fetchAuthorizationRequest({
-      authorizeRequestUrl: `${authzRequestEndpoint}?${params.toString()}`,
-      callbacks: {
-        fetch: appFetch,
-      },
-    }).catch(sdkUnexpectedStatusCodeToIssuerError);
+    const requestObjectJwt = await appFetch(
+      `${authzRequestEndpoint}?${params.toString()}`,
+      { method: "GET" }
+    )
+      .then(hasStatusOrThrow(200, IssuerResponseError))
+      .then((res) => res.text());
 
     const parsedAuthRequest = await parseAuthorizeRequest({
       config: sdkConfigV1_3,
-      requestObjectJwt: authRequest.requestObjectJwt,
-      callbacks: partialCallbacks,
+      requestObjectJwt,
+      callbacks: {
+        verifyJwt: createVerifyJwtFromJwks(issuerConf.keys),
+      },
     });
 
     return mapToRequestObject(parsedAuthRequest);
   };
 
+// NOTE: this function is not used in the 1.3 issuance flow. It may be removed in the future.
 export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["completeUserAuthorizationWithFormPostJwtMode"] =
-  async (
-    requestObject,
-    issuerConfig,
-    pid,
-    { wiaCryptoContext, pidKeyTag, appFetch = fetch }
-  ) => {
+  async (requestObject, issuerConfig, pid, { appFetch = fetch }) => {
     Logger.log(
       LogLevel.DEBUG,
-      `The requeste credential is not a PersonIdentificationData, completing the user authorization with form_post.jwt mode`
-    );
-
-    const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(
-      requestObject.dcql_query as DcqlQuery,
-      [[pidKeyTag, pid]]
+      "The requested credential is not a PID, completing the user authorization with form_post.jwt mode"
     );
 
-    const authRequestObject = {
-      nonce: requestObject.nonce,
-      clientId: requestObject.client_id,
-      responseUri: requestObject.response_uri,
-    };
-
-    const remotePresentation =
-      await RemotePresentationFlow.prepareRemotePresentations(
-        dcqlQueryResult,
-        authRequestObject
-      );
-
-    const authzResponsePayload = await createAuthzResponsePayload({
-      state: requestObject.state,
-      remotePresentation,
-      wiaCryptoContext,
+    const authzResponse = await processPidPresentationAndCreateAuthzResponse({
+      requestObject,
+      issuerConfig,
+      pid,
     });
 
-    Logger.log(
-      LogLevel.DEBUG,
-      `Authz response payload: ${authzResponsePayload}`
-    );
+    Logger.log(LogLevel.DEBUG, `Authz response: ${authzResponse}`);
 
     const issuerSigKey = issuerConfig.keys.find((key) => key.use === "sig");
     if (!issuerSigKey) {
@@ -158,13 +139,13 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
     }
 
     return sendAuthorizationResponseAndExtractCode({
-      authorizationResponseJarm: authzResponsePayload,
+      authorizationResponseJarm: authzResponse.jarm.responseJwe,
       callbacks: {
         ...partialCallbacks,
         fetch: appFetch,
       },
       iss: requestObject.iss,
-      state: requestObject.state!,
+      state: requestObject.state ?? "",
       presentationResponseUri: requestObject.response_uri,
       signer: {
         alg: "ES256",
@@ -174,6 +155,62 @@ export const completeUserAuthorizationWithFormPostJwtMode: IssuanceApi["complete
     });
   };
 
+export const completeEaaUserAuthorizationWithQueryMode: IssuanceApi["completeEaaUserAuthorizationWithQueryMode"] =
+  async (
+    requestObject,
+    issuerConfig,
+    pid,
+    clientRedirectUri,
+    { appFetch = fetch } = {}
+  ) => {
+    Logger.log(
+      LogLevel.DEBUG,
+      "The requested credential is not a PID, completing the user authorization with query mode"
+    );
+
+    const authzResponse = await processPidPresentationAndCreateAuthzResponse({
+      requestObject,
+      issuerConfig,
+      pid,
+    });
+
+    Logger.log(LogLevel.DEBUG, `Authz response: ${authzResponse}`);
+
+    const { redirect_uri } = await fetchAuthorizationResponse({
+      authorizationResponseJarm: authzResponse.jarm.responseJwe,
+      presentationResponseUri: requestObject.response_uri,
+      callbacks: {
+        ...partialCallbacks,
+        fetch: appFetch,
+      },
+    });
+
+    if (!redirect_uri) {
+      const errorMessage =
+        "The authorization server did not return a redirect_uri to continue the authorization flow";
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new AuthorizationError(errorMessage);
+    }
+
+    const response = await appFetch(redirect_uri).catch(() => null);
+
+    if (!response || !response.ok) {
+      const errorMessage = `An error occurred while completing the authorization flow. Ensure ${clientRedirectUri} is a valid HTTP url for redirect`;
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new AuthorizationError(errorMessage);
+    }
+
+    const finalRedirectUri = response.url;
+
+    if (!finalRedirectUri || !finalRedirectUri.startsWith(clientRedirectUri)) {
+      const errorMessage = `The authorization server did not redirect to the provided client redirect URI. Expected: ${clientRedirectUri}, got: ${finalRedirectUri}`;
+      Logger.log(LogLevel.ERROR, errorMessage);
+      throw new AuthorizationError(errorMessage);
+    }
+
+    return parseAuthorizationResponse(parseUrl(finalRedirectUri).query);
+  };
+
 /**
  * Parse the authorization response and return the result which contains code, state and iss.
  * @throws {AuthorizationError} if an error occurs during the parsing process
@@ -207,45 +244,52 @@ export const parseAuthorizationResponse = (
 };
 
 /**
- * Creates the authorization response payload to be sent.
- * This payload includes the state and the VP tokens for the presented credentials.
- * The payload is encoded in Base64.
- * @param state - The state parameter from the request object (optional).
- * @param remotePresentation The presentations to send, each with their VP token
- * @returns The Base64 encoded authorization response payload.
+ * Utility function to process the DCQL query for PID presentation and to create the authorization response to send to the Issuer.
+ * @param params.requestObject - The request object containing the DCQL query
+ * @param params.issuerConfig - The Issuer unified configuration
+ * @param params.pid - The PID credential to be presented, as a tuple of [keyTag, credential]
+ * @returns The authorization response containing the JARM to be sent to the Issuer
  */
-const createAuthzResponsePayload = async ({
-  state,
-  remotePresentation,
-  wiaCryptoContext,
+const processPidPresentationAndCreateAuthzResponse = async ({
+  requestObject,
+  issuerConfig,
+  pid,
 }: {
-  state?: string;
-  remotePresentation: RemotePresentation;
-  wiaCryptoContext: CryptoContext;
-}): Promise<string> => {
-  const { kid } = await wiaCryptoContext.getPublicKey();
-
-  return new SignJWT(wiaCryptoContext)
-    .setProtectedHeader({
-      typ: "jwt",
-      kid,
-    })
-    .setPayload({
-      /**
-       * TODO [SIW-2264]: `state` coming from `requestObject` is marked as `optional`
-       * At the moment, it is not entirely clear whether this value can indeed be omitted
-       * and, if so, what the consequences of its absence might be.
-       */
-      ...(state ? { state } : {}),
-      vp_token: remotePresentation.presentations.reduce(
-        (vp_token, { credentialId, vpToken }) => ({
-          ...vp_token,
-          [credentialId]: [vpToken],
-        }),
-        {}
-      ),
-    })
-    .setIssuedAt()
-    .setExpirationTime("1h")
-    .sign();
+  requestObject: RequestObject;
+  issuerConfig: IssuerConfig;
+  pid: [keyTag: string, credential: string];
+}): Promise<CreateAuthorizationResponseResult> => {
+  const dcqlQueryResult = await RemotePresentationFlow.evaluateDcqlQuery(
+    requestObject.dcql_query as DcqlQuery,
+    [pid]
+  );
+
+  const remotePresentation =
+    await RemotePresentationFlow.prepareRemotePresentations(dcqlQueryResult, {
+      clientId: requestObject.client_id,
+      nonce: requestObject.nonce,
+      responseUri: requestObject.response_uri,
+    });
+
+  const vp_token = remotePresentation.presentations.reduce(
+    (acc, { credentialId, vpToken }) => ({ ...acc, [credentialId]: [vpToken] }),
+    {} as Record<string, string[]>
+  );
+
+  return createAuthorizationResponse({
+    // The SDK 1.4 config is used here in order to resolve the encryption data from the Request Object
+    // client_metadata, otherwise OpenID Federation clients always ignore client_metadata as per 1.3.3 specs.
+    config: sdkConfigV1_4,
+    requestObject,
+    rpJwks: {
+      jwks: { keys: issuerConfig.keys } as jsonWebKeySet,
+      encrypted_response_enc_values_supported:
+        issuerConfig.encrypted_response_enc_values_supported,
+    },
+    vp_token,
+    callbacks: {
+      encryptJwe: partialCallbacks.encryptJwe,
+      generateRandom: partialCallbacks.generateRandom,
+    },
+  });
 };

package/src/credential/issuance/v1.3.3/05-obtain-credential.ts

@@ -112,7 +112,7 @@ export const requestCredentials = async ({
     },
     clientId,
     credential_identifier: credentialIdentifier,
-    issuerIdentifier: issuerConf.credential_issuer,
+    issuerIdentifier: issuerConf.credential_endpoint,
     maxBatchSize: issuerConf.credential_issuance_batch_size,
     nonce: c_nonce,
     keyAttestation: keyAttestationJwt,

package/src/credential/issuance/v1.3.3/index.ts

@@ -3,7 +3,8 @@ import { evaluateIssuerTrust } from "./01-evaluate-issuer-trust";
 import { startUserAuthorization } from "./02-start-user-authorization";
 import {
   continueUserAuthorizationWithMRTDPoPChallenge,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   completeUserAuthorizationWithFormPostJwtMode,
   buildAuthorizationUrl,
   getRequestedCredentialToBePresented,
@@ -20,7 +21,8 @@ export const Issuance: IssuanceApi = {
   evaluateIssuerTrust,
   startUserAuthorization,
   buildAuthorizationUrl,
-  completeUserAuthorizationWithQueryMode,
+  completePidUserAuthorizationWithQueryMode,
+  completeEaaUserAuthorizationWithQueryMode,
   continueUserAuthorizationWithMRTDPoPChallenge,
   getRequestedCredentialToBePresented,
   completeUserAuthorizationWithFormPostJwtMode,

package/src/credential/issuance/v1.3.3/mappers.ts

@@ -41,6 +41,7 @@ export const mapToIssuerConfig = createMapper<
     const {
       oauth_authorization_server,
       openid_credential_issuer,
+      openid_credential_verifier,
       federation_entity,
     } = x.metadata;
 
@@ -67,10 +68,12 @@ export const mapToIssuerConfig = createMapper<
       pushed_authorization_request_endpoint:
         oauth_authorization_server.pushed_authorization_request_endpoint,
       token_endpoint: oauth_authorization_server.token_endpoint,
-      nonce_endpoint: openid_credential_issuer.nonce_endpoint!,
+      nonce_endpoint: openid_credential_issuer.nonce_endpoint ?? "",
       federation_entity: federation_entity ?? {},
       credential_issuance_batch_size:
         openid_credential_issuer.batch_credential_issuance?.batch_size,
+      encrypted_response_enc_values_supported:
+        openid_credential_verifier?.encrypted_response_enc_values_supported,
     };
   },
   { outputSchema: IssuerConfig } // Output validation for extra-safety
@@ -79,13 +82,9 @@ export const mapToIssuerConfig = createMapper<
 export const mapToRequestObject = createMapper<
   ParsedAuthorizeRequestResult,
   RequestObject
->(({ payload }) => ({
-  iss: payload.iss ?? "UNKNOWN_ISSUER",
-  client_id: payload.client_id,
-  dcql_query: payload.dcql_query,
-  nonce: payload.nonce,
-  response_uri: payload.response_uri,
-  state: payload.state,
-  response_mode: payload.response_mode,
-  response_type: payload.response_type,
+>(({ header, payload }) => ({
+  ...payload,
+  iss: payload.iss ?? "",
+  trust_chain: header.trust_chain,
+  x5c: header.x5c as string[] | undefined,
 }));

package/src/credential/presentation/api/05-verify-request-object.ts

@@ -7,7 +7,7 @@ export interface VerifyRequestObjectApi {
    * @since 1.0.0
    *
    * @param requestObjectEncodedJwt The Request Object in JWT format
-   * @param params.clientId The client ID to verify
+   * @param params.clientId The client ID to verify (it may include a prefix)
    * @param params.rpConf Optional Relying Party configuration (OpenID Federation clients only)
    * @param params.state Optional state
    * @returns The verified Request Object

package/src/credential/presentation/api/types.ts

@@ -72,13 +72,9 @@ export type RemotePresentationDetails = {
 type ClientMetadata = {
   jwks: jsonWebKeySet;
   encrypted_response_enc_values_supported: string[];
-  client_id: string;
-  client_name: string;
-  logo_uri: string;
-  application_type: "web";
-  request_uris: string[];
-  response_uris: string[];
   vp_formats_supported: Record<string, { "sd-jwt_alg_values"?: string[] }>;
+  client_name?: string;
+  logo_uri?: string;
 };
 
 /**
@@ -88,7 +84,7 @@ export type RequestObject = {
   iss: string;
   response_uri: string;
   nonce: string;
-  state: string;
+  state?: string;
   client_id: string;
   dcql_query: Record<string, unknown>;
   response_type: "vp_token";

package/src/credential/presentation/common/utils/http.ts

@@ -9,11 +9,11 @@ import type { DirectAuthorizationBodyPayload } from "../../v1.0.0/types";
  * @returns A URL-encoded string suitable for an `application/x-www-form-urlencoded` POST body.
  */
 export const buildDirectPostBody = async (
-  requestObject: RequestObject,
+  { state }: RequestObject,
   payload: DirectAuthorizationBodyPayload
 ): Promise<string> => {
   const formUrlEncodedBody = new URLSearchParams({
-    state: requestObject.state,
+    ...(state && { state }),
     ...Object.entries(payload).reduce(
       (acc, [key, value]) => ({
         ...acc,

package/src/credential/presentation/v1.0.0/07-send-authorization-response.ts

@@ -81,7 +81,7 @@ export const buildDirectPostJwtBody = async (
   // Build the x-www-form-urlencoded form body
   const formBody = new URLSearchParams({
     response: encryptedResponse,
-    state: requestObject.state,
+    ...(requestObject.state && { state: requestObject.state }),
   });
   return formBody.toString();
 };

package/src/credential/presentation/v1.3.3/05-verify-request-object.ts

@@ -14,7 +14,7 @@ import { mapToRequestObject } from "./mappers";
 import type { RawRequestObject } from "./types";
 
 export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
-  async (requestObjectEncodedJwt, { clientId, rpConf }) => {
+  async (requestObjectEncodedJwt, { clientId: fullClientId, rpConf }) => {
     const parsedRequestObject = await sdkParseAuthorizeRequest({
       config: sdkConfigV1_3,
       requestObjectJwt: requestObjectEncodedJwt,
@@ -25,17 +25,22 @@ export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
 
     const rawRequestObject = parsedRequestObject as RawRequestObject;
 
-    const clientIdPrefix = extractClientIdPrefix(clientId);
+    const { prefix, clientId } = extractClientIdPrefix(fullClientId);
 
-    if (clientIdPrefix === ClientIdPrefix.X509_HASH) {
+    if (prefix === ClientIdPrefix.X509_HASH) {
       validateX509HashClient(rawRequestObject.header.x5c, clientId);
     }
 
     if (
-      clientIdPrefix === ClientIdPrefix.OPENID_FEDERATION ||
-      clientIdPrefix === ClientIdPrefix.NONE
+      prefix === ClientIdPrefix.OPENID_FEDERATION ||
+      prefix === ClientIdPrefix.NONE
     ) {
-      validateOpenIDFederationClient(rawRequestObject, clientId, rpConf);
+      validateOpenIDFederationClient(
+        rawRequestObject,
+        fullClientId,
+        clientId,
+        rpConf
+      );
     }
 
     return {
@@ -45,6 +50,7 @@ export const verifyRequestObject: RemotePresentationApi["verifyRequestObject"] =
 
 const validateOpenIDFederationClient = (
   requestObject: RawRequestObject,
+  fullClientId: string,
   clientId: string,
   rpConf: RelyingPartyConfig | undefined
 ) => {
@@ -55,8 +61,8 @@ const validateOpenIDFederationClient = (
   }
 
   const isClientIdMatch =
-    clientId === requestObject.payload.client_id &&
-    stripOpenIdFederationPrefix(clientId) === rpConf.subject;
+    fullClientId === requestObject.payload.client_id &&
+    clientId === rpConf.subject;
 
   if (!isClientIdMatch) {
     throw new InvalidRequestObjectError(
@@ -67,10 +73,8 @@ const validateOpenIDFederationClient = (
 
 const validateX509HashClient = (
   certificateChain: string[],
-  clientId: string
+  x509Hash: string
 ) => {
-  const [, x509Hash] = clientId.split(":");
-
   const calculatedHash = QuickCrypto.createHash("sha-256")
     .update(certificateChain[0]!, "base64")
     .digest("base64url");
@@ -81,6 +85,3 @@ const validateX509HashClient = (
     );
   }
 };
-
-const stripOpenIdFederationPrefix = (clientId: string) =>
-  clientId.replace("openid_federation:", "");

package/src/credential/presentation/v1.3.3/07-send-authorization-response.ts

@@ -17,6 +17,7 @@ import { AuthorizationResponse } from "./types";
 import { buildDirectPostBody } from "../common/utils/http";
 import { prepareVpToken } from "../../../sd-jwt";
 import { createCryptoContextFor } from "../../../utils/crypto";
+import { sdkConfigV1_3 } from "../../../utils/config";
 import { prepareVpTokenMdoc } from "../../../mdoc";
 
 /**
@@ -126,6 +127,7 @@ export const sendAuthorizationResponse: RemotePresentationApi["sendAuthorization
       );
 
       const { jarm } = await sdkCreateAuthorizationResponse({
+        config: sdkConfigV1_3,
         requestObject,
         rpJwks,
         vp_token,

package/src/credential/presentation/v1.3.3/mappers.ts

@@ -21,7 +21,7 @@ export const mapToRelyingPartyConfig = createMapper<
 
 export const mapToRequestObject = createMapper<RawRequestObject, RequestObject>(
   ({ payload, header }) => ({
-    iss: payload.iss,
+    iss: payload.iss ?? "",
     client_id: payload.client_id,
     dcql_query: payload.dcql_query,
     nonce: payload.nonce,